>How can I set up active FTP through NATD ipfw for internal users?
Will this do?
-punch_fw basenumber:count
This option directs natd to ``punch holes'' in an
ipfirewall(4) based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall
rules which allow a particular connection (and only that
connection) to go through the firewall. The rules are removed
once the corresponding connection terminates.
A maximum of count rules starting from the rule number
basenumber will be used for punching firewall holes. The
range will be cleared for all rules on startup.
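Because the man page text above says the whole punch_fw range is cleared on startup, any static rule numbered inside basenumber..basenumber+count-1 is lost when natd starts. The following check is an added example, not part of the original post; the function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find static ipfw rules that sit inside a natd -punch_fw range.
# natd clears basenumber..basenumber+count-1 on startup, so any rule listed
# here would be removed and should be renumbered before enabling -punch_fw.

# punch_fw_conflicts SPEC
#   SPEC is "basenumber:count", as passed to natd -punch_fw.
#   Reads `ipfw list` output on stdin and prints the rules inside the range.
punch_fw_conflicts() {
    if ! printf '%s' "$1" | grep -Eq '^[0-9]+:[0-9]+$'; then
        echo "bad punch_fw spec: $1 (expected basenumber:count)" >&2
        return 2
    fi
    awk -v spec="$1" '
        BEGIN {
            split(spec, p, ":")
            first = p[1] + 0
            last  = first + p[2] - 1
        }
        # ipfw prints zero-padded rule numbers in column 1; +0 makes them numeric
        $1 ~ /^[0-9]+$/ && $1 + 0 >= first && $1 + 0 <= last { print }
    '
}

# Constructed sample of `ipfw list` output (not taken from a real host).
sample_ipfw_list() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00500 divert 8668 ip from any to any via em0
02000 allow tcp from any to me dst-port 22
02050 allow icmp from any to any
02100 allow tcp from 192.168.0.0/24 to any setup keep-state
65535 deny ip from any to any
EOF
}

# Demo on the constructed sample; on a real gateway run:
#   ipfw list | punch_fw_conflicts 2000:100
sample_ipfw_list | punch_fw_conflicts 2000:100
```

Empty output means the chosen range is free and can be handed to natd as `-punch_fw 2000:100`.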